
it a n < Y:^ uLJ) \ method oi Jo u! n m i iti „ i u <. < nprtsvs: 
adding host-pair connection records to a connection table each time a host accesses
another host;[[,]]

at the end of a short update period, accessing the connection table to determine new host
pairs;

determining the number of new host pairs added to the table over \ . s] »>p > late period;

and 

if a host has made more than a first threshold number "C1" host pairs, and the number of
host pairs in the profile is smaller than the threshold number by a first factor value "C2", then
indicating to a console that the new host is a scanner.



2. (Original) The method of claim 1 wherein "C1" and "C2" are adjustable thresholds.

^ 1 v )k! i ) U 3 i \ Hii lit I Hi ! 1 1 is 5 t i j t ^ 

connection table and host pair records are added to the current time slice connection table. 
4 pjngi a ' c it- KXi< -Lit,, ' ia:.ber comprising 

u <. »i o ? n i in i ii )i di v ni ! s>i<.? n 

ic k ) nj sea the era oi Is g up< tt p< i o S am 

indicating hosts which produced more than "C3" new host pairs over the long update

period.



at the end of the long update period, accessing the long up<te* - connection table to 
n t rs that the process had no ^reyiptjsj v tk mined be-to m m>£k 

- a i ! > | an<- aide i k> fin. • . ^ e 1 <. <. inxhne pc 

and 

if a host has made more than a first threshold number "OT host pairs, and the number of 
\ > ; < s m uk' h n thv thtcskoh nan \r i\ im ! aetm \a\c 

iiOK i o, new !n!\U i a seannei 

6. (Original) The method of claim 1 further comprising: 

maintaining Address Resolution Protocol (ARP) packet statistics in the connection table
>-sd, f vpao- s is iLk\ i mmbu >m>, *.ritu >K m h i < < om 

.^iv v > , m rs ^m sparse sub-nelttorks 

7. (Original) The method of claim 1 wherein the scanning attack is a ping scan attack.

8. (Currently Amended) A method of detecting port scanning attacks, the method
comprises:

c v i i ogged values of pro toco ■> fe- 

piKi l^t' ( ^ i t t 5b v 

tn i >oriMKsod iii fx > > i iv i ► n u . m v ! v. 

s ^ a, <. , > i > pu '- \ "m ^ imd ' i ' ' v. 

t > i. k Hi i 1 t . ! i ( [ to 

em < t n 1 i >. 1 'In x f 1 < 

m anomaly; and 

*. e "'mi' to e*n sok 



> ; ? 'n > ' t Ov! > > is ^ ; • tei comprising- 



^ ! nv i t _ lU HlL^pO ng Hw stS OH 1 ^H'Ku 'ivpo\ i u'5 

1 * i he j ( i f (. 1 1 1 rein ie reported severit es 

<. Jv i * k hi' \ 

' > o >■ > ]jc :tc)\>«l e! c\um 8 iurthcr comprising: 

determining from the connection table statistics about TCP reset (RST) packets and ICMP
port-unreachable packets to detect a spike in the number of RST packets and ICMP port-
unreachable packets relative to the profile to increase the severity of a port scan event.

1 ! MS t uJ Ok i 1 1 IS ! v w s [ <. ot ■> CO 

e pe e< t oorn i scans 

13. (Original) The method of claim 8 wherein determining occurs at the end of long 
x i <v it dt t althy s ans 

14. (Currently Amended) A computer program product residing on a computer readable 

i U «. i i i'Hh ! II Ml I 1 t ' n V v 1 

add host-pair connection records to a connection table each time a host accesses another 
host;[[,]]

tt h v. < ' > ' j. 'kpu u! uom'i .uniuit. <<< j sc >. i ii nvn osj 

pairs; 

determine the number of new host pairs added to the table over the update period;

\ i 1 . ] i t iv 5 'id it!!\' i o , t 

- p o > ' >\ sr-i 5 v < ar k hie-, k d s i in ^ a " ,k i ee C d * or 

indicate to a console that the new host is a scanner.

i t v ao 1 \u ,u ii » i ikmi 'ihn 14 \\ herein "01 " and "VX* are 
e add ^ . o 



fO xth v > , i v . in nxm ^ hum '4 i £ \ I iblc \s 

c tab id host pair records arc e c it time s 

connection table. 

17. (Original) The computer program product of claim 16, further comprising instructions

to: 

aggregate records from the current time-slice table into a long update period table;
check for ping scans at the end of a long update period; and
indicate hosts which produced more than "C3" new host pairs over the long update

period.

18. (Original) The computer program product of claim 17 wherein instructions to
xi X ( 1 \ < s to: 

< . c '! . d v. i. u ! h . it luiW i'iK ax v {< ») 

determine the number of new host pairs added to the table over the long update period;

and 

ri a f. tst a t s k ir.oje th.m a Inst hus icki numbc < V* ^ : xc> * the « .'«K« < f 
f 'niN !K Jx- <> t k s M'nk I'lii "he 1 k sh d nmnu h j f iV t <c c - \ ue 1 I - e} e 
indicate the new host as a scanner. 

(Oiis v ^ uner pn m wduei clan 1 1 at xi s, nst s 

to:

s \o i 1 oi (AR.P) p ' 
s unilx generated AllP renu that eh no receive resj i -test detect scans 

on sparse sub-networks.



20. (Currently Amended) A computer program product residing on a computer readable
t v. 1 '< .i . s k ,i m ui p< > ^ <. prises 
instructions for causing a processor to: 

l r K U S (.tv > i Iks .ij i t a h (. s s "or st i 

connections in the table; 

dc-tumi K a f n >n Ns < " p ■> s ! s vt 1 >t i u^'i -t ,v i 1 m 1 1 s v 'is OvW ^ -ovN . s 
a factor "C1" than a current number of ports being scanned by a host and the current number is
greater than a lower bound threshold "C2" to record the anomaly; and

report a port scan to a console. 

21. (Original) The computer program product of claim 20 further comprising instructions

to: 

assign a severity level to the port scan and report the severity level of the port scan. 

22. (Original) The computer program product of chum . ^Uetetr h v. < e vw x 
sni^ is \! u Ne\ sat 0! i oi j ton eal norm. 

x N > > k p i ( udi ctof clain nprisin * 

to: 

determine from the connection table statistics about TCP reset (RST) packets and ICMP
port-unreachable packets to detect a spike in the number of RST packets and ICMP port-
unreachable packets relative to the profile to increase the severity of a port scan event.

24. (Currently Amended) Apparatus comprising:

\ ^ v, ^ O ' 0* uks a>th >tts{ < 

circuitry to add host-pair connection records to a connection table each time a host 
accesses another host;[[,]]

at the cauA* ■'hi ?s vodate pen<Kb -aeee-- . . ana on tab c to 

dcs.cn mv utv o . v:u 
update period; and

if a host has made more than a first threshold numbe < k>s v s id the uimberot 
• pairs i i t nailer th he ll esh ! 1 t u> )> t i 

circuitry to indicate to a console that the new host is a scanner.

25. (Original) The apparatus of claim 24 wherein "C1" and "C2" are adjustable
thresholds.

'o < ' Hi J v i tiue t v w > 1 . 5. 1 <. 

slice connection table and host pair records are added to the current time slice connection table.

27. (Original) The apparatus of claim 24, further comprising:

circuitry to aggregate records from the current time slice table into a long update period

table;

circuitry to check for ping scans at the end of a long update period; and 
circuitry to indicate hosts which produced more than "C3" new host pairs over the long 
update period. 

28. (Currently Amended) Apparatus comprising:
a processing device; and

i t i it, e , i * ^ i < ! od m„ < i p at v ? i xlc fo 

»H ! .\S 1 l.U! MtU ,!(!»! II VUlll tit; i i 1 ! 

the processing device to: 

add host-pair connection records to a connection table each time a host accesses another

host;[[,]]

at the end o*ht vt s ' ^ paate period, accessing the connection table to determine new host

pairs;

determine the number of new host pairs added to the table over the update period; and 



if a host has made more than a first threshold number "C1" host pairs, and the number of

host pairs in the profile is smaller than the threshold number by a first factor value then
indicate to a console that the new host is a scanner. 

o iO i t v< it -><> Vlvt n 3 \!wrein «, n<j k 2 icaoKsudm 
thresholds. 

lit Mii t U in M ^Um 1'tl.l. iU <M \^ki<- UiAf f !K 

'KouTfu* oi , t*« v ao \ > \ ^euts are added t s < . 

^ ! (Grig t maraiusoiel n 28 wherein the con * -s odaet furthct 

emnptmis mo;n.k.'<:-m\ t<~ 

aggregate records from the current time-slice table into a long update period table;

check for ping scans at the end of a long update period; and 

indicate hosts which produced more than "C3" new host pairs over the long update

period. 

{{ <.v,\\) i K ipp atiH of claim 28 further comprises instructions to; 
es- : ok pdute c oetion table at the i d of the lo pdeiep nod 
determine the number of new host pairs added to the table over the long update period;

and 

vi,' ^ mad threshold nb + ! nd ih 

> p e profile is smaik I itx threshold nun bet 33 a fi s factor 1 - < ^ ' icn 

indicate the new host as a scanner. 

33. (Currently Amended) Apparatus comprising:
a processing device;
a computer readable medium tangibly embodying a computer program product for

detecting port scanning attacks, the computer program product comprises instructions for causing
a processor to: 

(.MK < . US v. ' 4<L 1 > t Cits i is >< > »v i 

connections in the table; 

Js c > v • * ,.r\ v> po -iscoi a the m , <. 4efabiy smalle: b> 

< eing sea e current i imbes is 

greater than a lower bound threshold C2 to record the anomaly; and

;\ , ri OH! '< . <_ s^U 



34. (Original) The apparatus of claim 33 further comprising instructions to:
assign a severity level to the port scan and report the severity level of the port scan. 

35. (Currently Amended) The apparatus of claim 34 wherein the reported severity varies 
asa mnct on *>i-hede\' Uii<n torn i^tuoea norm o ri >, < < t - m>>-< , y no 

>o «(»} i ■> i he „ opasatus of claim 34 further comprising instructions to: 

determine from the connection table statistics about TCP reset (RST) packets and ICMP
port-unreachable packets to detect a spike in the number of RST packets and ICMP port-
unreachable packets relative to the profile to increase the severity of a port scan event.



